Protected software rental using smart cards

ABSTRACT

System comprising a central processing unit and a dedicated unit. Said dedicated unit receives a communication protection module which controls a sequence controlling module containing a state machine and a cycle counter, a timing module activated by said sequence controlling module and a software protection module also activatable by said sequence controlling module.

BACKGROUND OF THE INVENTION

The present invention relates to the renting of computerized means (software and/or hardware) in accordance with a schedule which depends on the actual use of this facility.

This schedule can be compiled on the basis of various measures such as the period for which a piece of software is made available, the duration of use of this piece of software, the number of transactions made or dossiers created, the number and quality (difficulty or rarity) of calculations, the number and quality of files consulted, and more generally of any computing or remote-computing service made available to a user, the operation of which is enabled at least in part by the said software.

A fair number of proposals have already been made for providing protection for the supplier (or designer) of a piece of software, especially: EP-A-0,430,734; IEICE Transactions, vol. E 73, No. 7, July 1990, JP, pp 1133-1146; EP-A-0,265,183.

Thus, the concept is known of a computerized device, of the type including:

an operational facility, comprising at least one central processing unit, together with memory means allowing it to load an operating system and to implement at least one piece of software on the basis of this operating system, and together with at least one connection interface which can be accessed through a function of the operating system, and

a dedicated unit including a removable memory medium reader, such as a smart-card reader, connected to the central processing unit by the said connection interface of the latter,

while the software includes specific calls to the dedicated unit, for the purposes of conditioning the conduct of the execution of the said software, depending on the state of certain data contained in the removable memory medium.

This is done in EP-A-0 430 734, with the intention of the software sending results to the smart card which it will have to be able to retrieve therefrom subsequently, failing which the software cannot be fully executed.

These known solutions are not entirely satisfactory from the security standpoint, it being observed that a perfect security system is inconceivable.

SUMMARY OF THE INVENTION

The invention is therefore aimed firstly at improving security as regards protecting a piece of software against unauthorized use.

The invention is aimed, more precisely, at improving this security sufficiently for it to be possible, for example, to rely on it for pricing the charges for renting the software, as will be seen later.

The object of the invention is also to provide a solution which is applicable for several renters, several pieces of software and several possible simultaneous lessors.

The Applicant has observed that the difficulties of implementation originate from the manner in which the rental and protection processes are associated.

The invention stems from a computerized device of the aforesaid type.

According to one aspect of the invention, the specific calls are configured in the form of communication commands, possessing send arguments, and whose completion state is suspended while awaiting a response of particular form, and the removable unit comprises:

a communication security module capable of disabling the response to a communication command originating from the central processing unit, depending on first conditions involving the expression of the communication command and information contained in the card, and

at least one responsive module capable of recognizing such a communication command and of according it a favourable response, in the said particular form, only if second conditions pertaining to the arguments of the said command and to information contained in the card are complied with.

The responsive module can be a usage metering module, such as an electronic purse, and/or a time metering module.

Provision may then be made for the said response of particular form to include a first state, affording authorization of normal operation of the software, and a second state, affording authorization of operation at the very most only in downgraded mode (reduced capabilities).

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the invention will emerge on examining the detailed description below, and the attached drawings in which:

FIGS. 1, 1A and 1B are the general diagrams of three examples of installations in which the invention can be implemented,

FIGS. 2, 2A illustrate diagrammatically the "removable medium" part of the implementation of the invention, and

FIGS. 3 and 3A illustrate diagrammatically two versions of a handler used in one embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Being elements pertinent to security, it will be understood that certain parts of the device are described only as regards their principle.

Before describing the invention in detail, it is useful to recall all of the known solutions.

Certain rental processes are based on the number of transactions counted between a remote unit (placed under the control of the supplier) and local units; other rental charges are based on the time spent by the remote unit in processing these transactions. In both cases, accounting is performed by the remote unit.

In parallel with this, processes have been proposed which use electronic boxes which perform the decrementation of a counter on command from the leased software. These boxes are in general connected to a communication port of the computer. Depending on the variant, reincrementation of the counter is effected by inputting at the keyboard a code forwarded by the lessor, or via a link with a central computer. In all these cases, since the protection is either software-based or based on passive technology (ROM, EPROM, EEPROM or E2PROM), it does not offer a level sufficient for rental.

Other processes propose an electronic box incorporating a microprocessor. As these boxes, although removable, are not designed to be frequently connected to and disconnected from the system, implementation is incompatible with the commercial constraints as soon as this system is associated either with several pieces of software or with several renters.

Microchip (microprocessor or so-called hard-wired computational logic) card systems have also been proposed which contain a counter which is decremented on the basis of the time measured between two successive commands of the software; these commands normally intervene at known time intervals. Implementation of this process requires incorporating a timing interrupt command when this time is uncertain. Now, this interrupt command considerably weakens the level of security accorded by the microchip card.

Still other solutions invoke the means of incorporating, into the process, a module for protecting the leased software and a counter which is decremented in line with use; when this counter runs out, the protection module is disabled, thus causing the software to lock up. Now, in most cases, it is desirable for the software to continue to operate with reduced capabilities (downgraded mode), nevertheless remaining protected against fraudulent use.

None of this, therefore, is really satisfactory.

The invention stems from a computerized facility which includes, in FIG. 1, at least one central processing unit 1, to which is adjoined a dedicated unit 2. These two units can communicate with each other via an appropriate interface, which may be a port of the central processing unit, for example the serial port of a microcomputer, or again a connector of a peripheral controller mounted on an internal card or on the motherboard.

The central processing unit 1 is made up of computer hardware and/or software and/or files, at least a part of which is delivered either on a portable mass memory of the diskette 15 or compact disc 16 kind, or as permanent (EPROM) or backed-up memory. This "delivered part" may comprise executable files (such as programs) or non-executable files (such as databases, or other data files, including audio and/or video, for example).

As a variant (FIG. 1A), a local central processing unit 12 is connected by modems (or some other link) 129 and 119 to a remote or supplier central processing unit 11 which, in this case, contains, on internal or external mass memory, at least part of the useful software and/or files. It is in principle necessary for a small part of the software to reside in the local station. In this instance these will be the minimal user interface functions for presenting the results of the service to the user, and the minimal functions (debit) to be executed on the smart card.

According to another variant (FIG. 1B), a wire transmission arrives at the modem 129, or else a radio transmission arrives at the reception facility 139. The local part of the computerized facility can then be based on a microcomputer station, as before, or else, as represented, on a unit 13 (games console for example) which cooperates with the monitor part of a television receiver 14.

In these three modes, which are non-limiting examples, the local unit 1, 12 or 13 is linked to the dedicated unit 2.

In what follows, the case of FIG. 1 will be adopted for simplicity. It will also be assumed that the dedicated unit 2 is linked to a serial port of the central processing unit 1 (although other links, especially to a PCMCIA port, could be envisaged).

The operating system of the local processing unit 1 supplies a function or primitive for access to the serial port concerned.

The software to be executed includes calls to this access primitive, so as to be able to access the interior of the smart card 21.

According to one aspect of the invention, these so-called "specific" calls are configured in the form of communication commands, having send arguments, and awaiting a response of particular form. The send arguments are for example an identifier and a code respectively. The completion state of the specific call is suspended while awaiting the said response of particular form, which will condition the manner in which the execution of the software will be conducted. Of course, this suspension can be bounded by a maximum waiting time, at the end of which a negative response is presumed.

Thus, in other words, the local processing unit can execute commands for communication with the dedicated unit 2, the results of which authorize or disable normal or downgraded execution of this local processing unit 1.

For most applications, one of these commands will be of the "DECREMENT" type. It can be produced directly, or else implicitly in association with another command.

Very generally, the dedicated unit 2 is made up of at least one removable part termed the card, for example a smart card 21, and of a card reader. Incorporated therein are modules which include processing means capable in particular of formulating the results of communication, on the basis of their own defined information stored or calculated beforehand.

The card 21 includes at least one communication security module 6 whose role is to make secure the exchanges of information between the central processing and dedicated units. As illustrated in the drawing by switchovers 251, this module 6 is able to intercept, in one and/or the opposite direction, at least part of the communications between the local processing unit 1 and the card 21, over the lines 203 to 207. This can be done by various kinds of control checks exercised on the flowing datastream. For example, the data of the stream can be enciphered or signed with the aid of a key which can be determined from the information contained in the memory (not represented) of the card 21. Any error of encipherment, respectively of signature, translates into the intercepting of the datastream placed under the control of the module 6. An error response destined for the central processing unit 1 is preferably appended thereto.

Thus, the module 6 exercises access control on one or more other so-called "responsive" modules, among which have been represented a usage counter 3, a time metering module 4 and a sequence control module 5.

More generally, this signifies that a hierarchy can be established in the "responsive" modules. A responsive module of higher priority can then intercept the commands addressed to other responsive modules of lower priority. The establishing of this hierarchy will depend on the applications, the illustration in FIG. 2 being merely an example of this.

Thus depicted, the proposed device offers a cascade of modules, each of which conditions access to those which follow (of lesser priority), down to the lowest priority level, which contains in particular the accounting functions related to the renting of the software (to which may be added other conditions), and ultimately conditions the conduct of the operations of this software.

On delivery the usage counter 3 contains a software use credit which can be read and/or decremented by the software in line with its use, under the control of the communication security module 6 and, as the case may be, of the sequence control module 5. Preferably, every decrementation operation is accompanied by a reading of the new value of the credit.

It may be beneficial to make provision for a command to be interpreted by the card as the combination of this command and another, implicit command. For example, a DATA command (201) can implicitly generate, in the card, a DECREMENT command.
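The exchange described above, as an added example that is not part of the patent and not any card vendor's code: a Python model of the specific call on the host side (suspended until a response arrives, a missing response presumed negative), of the communication security module 6 checking a signature over the datastream with a key determined from card information, and of the usage counter 3 behind it answering READ, DECREMENT and the implicit DECREMENT carried by DATA. The responses follow the OK(remaining_credit)/NOTOK(error_type) shape of the second embodiment. The identifier, code, card secret, credit, the HMAC-SHA256 signature standing in for the card's cipher, and the rule that DATA debits one unit are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed card contents (not real card data): stored identifier and code,
# a card-resident secret from which the datastream key is derived, and the
# software use credit loaded on delivery.
CARD_ID = "SW-RENT-01"
CARD_CODE = "1234"
CARD_SECRET = b"card-resident-secret-constructed"
INITIAL_CREDIT = 5


def stream_key(card_id: str) -> bytes:
    """Key for signing the datastream, determined from information in the card."""
    return hashlib.sha256(CARD_SECRET + card_id.encode()).digest()


def sign(cmd: bytes) -> bytes:
    return hmac.new(stream_key(CARD_ID), cmd, hashlib.sha256).digest()


@dataclass
class Response:
    ok: bool
    value: object      # remaining credit on OK, error type on NOTOK


class Card:
    """Module 6 (communication security) in front of module 3 (usage counter)."""

    def __init__(self, credit: int = INITIAL_CREDIT):
        self.credit = credit

    def receive(self, cmd: bytes, tag: bytes) -> Response:
        # first conditions: the signature over the datastream must verify,
        # otherwise module 6 intercepts the command and appends an error response
        if not hmac.compare_digest(sign(cmd), tag):
            return Response(False, "BAD_SIGNATURE")
        fields = cmd.decode().split(",")
        name, ident, code = fields[0], fields[1], fields[2]
        # second conditions: identifier and code must match the values in the card
        if ident != CARD_ID or not hmac.compare_digest(code, CARD_CODE):
            return Response(False, "BAD_CREDENTIALS")
        if name == "DATA":                      # DATA implicitly carries a DECREMENT of 1
            name, fields = "DECREMENT", fields[:3] + ["1"]
        if name == "READ":
            return Response(True, self.credit)
        if name == "DECREMENT":
            amount = int(fields[3])
            if amount <= 0 or amount > self.credit:
                return Response(False, "NO_CREDIT")
            self.credit -= amount
            return Response(True, self.credit)  # every decrement reads back the new credit
        return Response(False, "UNKNOWN_COMMAND")


class Reader:
    """The serial-attached reader; `card` is None while no card is inserted."""

    def __init__(self, card):
        self.card = card

    def exchange(self, cmd: bytes, tag: bytes) -> Response:
        if self.card is None:
            raise TimeoutError("no response from the dedicated unit")
        return self.card.receive(cmd, tag)


class Host:
    """The rented software's specific call: signs the command, then suspends
    until a response of the expected form arrives; no response within the
    waiting time is presumed negative."""

    def __init__(self, reader: Reader):
        self.reader = reader

    def call(self, *args) -> Response:
        cmd = ",".join(str(a) for a in args).encode()
        try:
            return self.reader.exchange(cmd, sign(cmd))
        except TimeoutError:
            return Response(False, "TIMEOUT")


def software_mode(resp: Response) -> str:
    """How the software conducts itself on the response: normal, downgraded
    (credit exhausted but card genuine), or locked (security failure)."""
    if resp.ok:
        return "normal"
    return "downgraded" if resp.value == "NO_CREDIT" else "locked"
```

The distinction in `software_mode` is the one the description draws: an exhausted counter sends the software into downgraded mode, whereas a signature or credential failure, or the absence of any response, leaves it locked.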

In a particular embodiment, use is made of the sequence of states of the sequence control module 5. Changes of state are due to corresponding commands originating from the central processing unit 1, under the control of the communication security module 6, and/or to internal events in the card.

FIG. 3 and FIG. 3A are illustrations of a handler and the states thereof. Two states at least are necessary (states I and II). However, as the card is removable, and hence can be inserted and withdrawn, the sequence proposed according to the invention is as follows:

insertion 308: transfer to state I (311)

engagement 309: transfer to state II (312)

disengagement 310: transfer to state III (313)

withdrawal 308 and await insertion.

The card can be withdrawn and reinserted in the course of each of the states I (311) and II (312) without affecting this sequence. This presupposes that the handler of the module 5 is constructed in EEPROM memory.

This sequence is intended, in particular, to oblige a fraudster to withdraw and reinsert the smart card into the reader with each engage/disengage simulation of the metering module, thus considerably slowing down the operations and making his task laborious.

Stated otherwise, the above is a looped handler with two (FIG. 3A), or preferably three states (FIG. 3) at least, with which are associated two, respectively three, transitions. Entry into a state is permitted only in the presence of the transition associated with this state.

One of the transitions is the withdrawal/reinsertion of the card. A second transition is produced in the presence of at least one of the commands (at most, all of them, except, as the case may be, the disengage command) coming from the local processing unit 1, and/or upon an internal event in the card (and emanating from one of the other modules). The third transition is produced either in response to a disengage command, or likewise upon an internal event in the card, such as the exceeding of a maximum period during which the card has received no command.

The intermediate state II (awaiting "disengage") then serves as the basis for enabling certain functions in the card, such as time metering, which in turn conditions usage metering, or else command, and also control of the protection of the software, about which more will be said later.

As indicated by FIG. 3A, it is possible, for certain applications, to restrict the handler to two states, and to the two transitions termed "engagement" 309 and "disengagement" 310 alone.

Although it is conceivable to do without it, the sequence control module 5 is currently regarded as providing an important security element.

This sequence control module 5 can contain a cycle counter. This counter decrements one credit of cycles each time a chosen one of the states is entered. In the case of the three-state handler, this counts the number of times the card is withdrawn from or inserted into the reader. When this credit is zero, any communication controlled by the sequence control module 5 is disabled (252).

Thus, a fraudster who might have succeeded in developing a mechanical or electrical system capable of simulating the withdrawal and insertion of the card is limited in his operations by the number of possible cycles, this being relatively restricted in the case of normal use.

In other words, the sequence control module 5 exercises at 252 a second level of interception on the communications with the other modules, here 3 and 4. This control module 5 could moreover be regarded functionally as a constituent of the security module 6.

Preferably, the dedicated unit moreover includes a software protection module 7. The latter's exchanges of data with the local processing unit 1 may escape the control of the communication security module 6, especially if this software protection module incorporates a different encryption process, which is redundant with or incompatible with that of the communication security module. In a known manner, this module 7 responds to input data 201 via results 202, in accordance with a rule which depends on information contained in the card, with the desired degree of complexity.

It is advantageous (link 210) to render the module 7 active at the same time as the state II (312) generated by the sequence control module 5. In this way, the software can function only if the dedicated unit has received an engage command, thus obliging execution of the sequence in spite of any attempt at fraud. As the disengage command does not intervene during normal operation of the software, any attempt at simulation of this disengagement will lock up the functioning of the software.

The dedicated unit can also include a time metering module 4 which runs a timer when this module is active.

This time metering module 4 disables (253) communication between the central processing unit and the usage counter 3 when the timer reaches a predetermined value.

Preferably, the time metering is implemented only during the state II of the sequence 5: the timer is activated (link 212) only when the sequence control module 5 has received an engage request 309, that is to say when the software is actually being operated (and not as soon as the dedicated unit is in service).

This function is intended, in particular, to define an "expiry period" for the card, not to be confused with any possible expiry date for this card, which may be managed by the communication security module 6.

The remaining period of this time metering module 4 can be read (205) by the central processing unit, under the control of the communication security module 6 and, as the case may be, of the sequence module 5.

The time metering module 4 can, internally, read (217) or decrement (216) the usage counter 3.

The engage request 309 and disengage request 310 of the sequence control module 5 can be activated internally in the dedicated unit 2:

engagement is effected implicitly on each communication with the central processing unit,

disengagement is effected if no communication has taken place for a predetermined duration.
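As an added example covering the handler of FIG. 3, its cycle counter, the gating of module 7 on state II and the time metering of module 4 together (this is illustration written for this page, not the patent's own or any vendor's card code), the following Python model implements the three-state looped handler with the internal-activation variant just described: any command engages implicitly, an idle period disengages, and only withdrawal and reinsertion lead out of state III. The clock is injected so that the idle timeout and the time credit can be exercised deterministically. The state names, the cycle, time and idle limits, the MODULE7_KEY secret, the choice of HMAC-SHA256 as module 7's rule, and the decision that only DECREMENT and READ count as usage-counter commands are all assumptions of the example.

```python
import hashlib
import hmac
from enum import Enum

MODULE7_KEY = b"protection-key-constructed"   # card-resident secret (constructed)
COUNTER_COMMANDS = {"DECREMENT", "READ"}       # the commands addressed to module 3


class State(Enum):
    I = 1     # inserted, awaiting engagement
    II = 2    # engaged: time metering and software protection active
    III = 3   # disengaged: only withdrawal and reinsertion lead back to state I


class DedicatedUnit:
    def __init__(self, clock, cycle_credit=3, time_credit_s=60.0, idle_s=5.0):
        self.clock = clock                    # returns seconds (injected for testing)
        self.state = State.I                  # handler kept in EEPROM: survives withdrawal
        self.present = False
        self.cycle_credit = cycle_credit      # module 5 cycle counter
        self.time_credit_s = time_credit_s    # module 4 remaining expiry period
        self.idle_s = idle_s                  # idle period that triggers disengagement
        self._since = None                    # start of the interval being metered
        self._last_cmd = None

    # transition 308: withdrawal / insertion
    def insert(self):
        if self.present:
            return
        self.present = True
        if self.cycle_credit > 0:
            self.cycle_credit -= 1            # one cycle consumed per insertion
        if self.state is State.III:
            self.state = State.I              # the only way out of state III
        now = self.clock()
        self._last_cmd = now
        if self.state is State.II:
            self._since = now                 # metering resumes after reinsertion in state II

    def withdraw(self):
        self._meter(self.clock())
        self._since = None                    # an unpowered card meters nothing
        self.present = False

    # module 4: consume time credit for the engaged interval ending at `until`
    def _meter(self, until):
        if self.state is State.II and self._since is not None:
            self.time_credit_s = max(0.0, self.time_credit_s - (until - self._since))
            self._since = until

    # transition 310: explicit disengage command or internal idle event
    def _disengage(self, at):
        self._meter(at)
        self._since = None
        self.state = State.III

    def command(self, name):
        now = self.clock()
        if not self.present or self.cycle_credit == 0:
            return "DISABLED"                 # 252: no communication at all
        if self.state is State.II and now - self._last_cmd > self.idle_s:
            self._disengage(self._last_cmd + self.idle_s)   # internal event
        if self.state is State.III:
            return "DISENGAGED"               # withdraw and reinsert the card
        if name == "DISENGAGE":
            self._disengage(now)
            return "OK"
        if self.state is State.I:             # transition 309, implicit on any command
            self.state = State.II
            self._since = now
        self._last_cmd = now
        self._meter(now)
        if name in COUNTER_COMMANDS and self.time_credit_s <= 0:
            return "EXPIRED"                  # 253: module 4 cuts off the usage counter
        return "OK"

    # module 7: answers data 201 with result 202 only while engaged (link 210)
    def protect(self, data: bytes):
        if not self.present or self.state is not State.II:
            return None                       # the software cannot run outside state II
        return hmac.new(MODULE7_KEY, data, hashlib.sha256).hexdigest()
```

Two behaviours worth noting in the model: a disengagement simulated by a fraudster (the DISENGAGE command, or simply letting the card idle) leaves `protect()` returning nothing until the card is physically cycled, and each cycle costs one unit of `cycle_credit`, so a mechanical insertion simulator is bounded by the credit loaded on the card.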

FIG. 2A illustrates an example of an applicable smart card. The lines issuing from the connector are applied to a processing unit 20, equipped with a clock (not represented), and accompanied by a program memory 29. Added thereto are the encryption element 26, which comprises the basics of the module 6, the EPROM element 27, which can contain customized encryption functions, the E2PROM element 23/24, which comprises the functions of the modules 3 and 4, and lastly the random-access memory element 25, which can contain the sequence control handler, while its possible counter is EEPROM-based, in order to retain a memory record of the counting.

In a first particular embodiment, the smart card is of the COS type from the company GEMPLUS:

i) this card can incorporate an electronic purse function, constituting the usage counter module 3,

ii) the module 6 is built on the basis of a DES type encryption algorithm, customized through a secret set, protecting in particular the module 3,

iii) the DECREMENT and READ commands are of the form:

DECREMENT (Identifier, Session_key, Transaction_No., Debit_amount),

READ (Identifier, Session_key, Transaction_No.),

iv) the awaited response is a certificate which will be an encrypted function of the above data,

v) the modules 4 and 5 are constructed by the expanding of instructions in EEPROM or EPROM, what engineers term a "specific mask". In respect of the module 5, this involves constructing the handler appropriate to the sequence described; the function of the module 4 is technically similar to that of the module 3, without external decrementation order, with use of the clock of the microprocessor of the card,

vi) the software protection module 7 can be constructed in any known appropriate manner, for example with the DES algorithm of the card, in order to decipher certain parts of the commands, enciphered beforehand in ECB mode.
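The certificate exchange of items iii) and iv), as an added example (illustration written for this page, not the patent's or GEMPLUS's code): the card answers DECREMENT and READ with its new credit and a certificate computed over the command arguments and that credit, and the software accepts the result only if the certificate recomputes under the session key. The patent's DES-based function is replaced here by HMAC-SHA256, since Python's standard library has no DES; the derivation of the session key from a shared master secret and the transaction number, the monotonically increasing transaction counter on both sides, and all sample values are assumptions of the example.

```python
import hashlib
import hmac

# Secret shared by the lessor's customization and the card (constructed value).
MASTER_SECRET = b"lessor-master-secret-constructed"


def session_key(identifier: str, txn: int) -> bytes:
    """Per-transaction session key, derivable by the software and by the card."""
    return hmac.new(MASTER_SECRET, f"{identifier}:{txn}".encode(), hashlib.sha256).digest()


def certificate(key: bytes, command: str, identifier: str, txn: int, amount: int, credit: int) -> str:
    """The card's response: a keyed function of the command data and the resulting credit."""
    msg = f"{command}|{identifier}|{txn}|{amount}|{credit}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PurseCard:
    """Electronic purse (usage counter 3) behind the module 6 checks."""

    def __init__(self, identifier: str, credit: int):
        self.identifier = identifier
        self.credit = credit
        self.last_txn = 0              # highest transaction number accepted so far

    def _authorised(self, identifier: str, key: bytes, txn: int) -> bool:
        # second conditions: right identifier, fresh transaction number, valid session key
        if identifier != self.identifier or txn <= self.last_txn:
            return False
        return hmac.compare_digest(key, session_key(identifier, txn))

    def decrement(self, identifier, key, txn, amount):
        if not self._authorised(identifier, key, txn) or amount <= 0 or amount > self.credit:
            return None                # no favourable response
        self.last_txn = txn
        self.credit -= amount
        return self.credit, certificate(key, "DECREMENT", identifier, txn, amount, self.credit)

    def read(self, identifier, key, txn):
        if not self._authorised(identifier, key, txn):
            return None
        self.last_txn = txn
        return self.credit, certificate(key, "READ", identifier, txn, 0, self.credit)


class RentedSoftware:
    """Issues DECREMENT/READ with increasing transaction numbers and accepts a
    result only when the card's certificate recomputes under the session key."""

    def __init__(self, card: PurseCard, identifier: str):
        self.card, self.identifier, self.txn = card, identifier, 0

    def _verify(self, command: str, amount: int, response):
        if response is None:
            return None
        credit, cert = response
        expected = certificate(session_key(self.identifier, self.txn), command,
                               self.identifier, self.txn, amount, credit)
        return credit if hmac.compare_digest(expected, cert) else None

    def decrement(self, amount: int):
        self.txn += 1
        key = session_key(self.identifier, self.txn)
        return self._verify("DECREMENT", amount,
                            self.card.decrement(self.identifier, key, self.txn, amount))

    def read(self):
        self.txn += 1
        key = session_key(self.identifier, self.txn)
        return self._verify("READ", 0, self.card.read(self.identifier, key, self.txn))
```

Because the certificate binds the transaction number and the new credit, a recorded favourable response cannot be replayed against a later call and a tampered credit value fails verification; the card's `last_txn` check is what stops a recorded command from being replayed at the card. The same protection is what a practitioner should look for in any such certificate scheme, whatever block cipher or MAC the card actually uses.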

In a second particular embodiment, in which the functions of the modules 4 and 5 are not deployed, the smart card is of the SCOT 30 type from the company BULL CP8. Implementation is as follows:

i) in respect of the module 3, at least one memory area is defined, forming a counter,

ii) this module 3 will be accessible only on input of an identifier and a code, which are checked by the communication security module 6 with respect to their values stored in the card,

iii) the DECREMENT and READ commands are then of the form:

DECREMENT (Identifier, Code, Debit_amount)

READ (Identifier, Code)

iv) the awaited response is:

OK (remaining_credit), or

NOTOK (Error_type)

v) the module 7 can use the DES standard algorithm of the card, to decipher certain parts of the commands, enciphered beforehand in ECB mode.

It is clear that the implementation of the invention depends to a certain extent on the technology of the card used. However, the invention remains at least partially applicable whatever this technology, provided that the card incorporates a processing unit.

This being so, the expression "operating system" is here to be interpreted in the broad sense, and extends to any set of hardware and/or software functions making it possible to run a piece of software and to access at least one peripheral.

The dedicated unit 2 can contain several groups of modules, distributed in one or more cards, each corresponding to a central processing unit, renter, lessor, piece of software or other use unit. The word software is here used in the broad sense, and is aimed at both a program as well as all files or services made available to the user.

Each of these groups is assigned arguments of the commands which are at least in part different.

The example may be taken of two companies who propose common software but who wish to remain independent of each other. The benefit may be appreciated of a card which functions with two separate groups of modules, but which locks out the use of the software on the request of one or other of these groups.

In practice, it is possible to use a disposable card, credited only once during manufacture, or a card which can be reloaded, possibly remotely. Furthermore, the expression "dedicated unit" implies merely that this unit at least partly escapes the control of the central unit; it does not preclude the dedicated unit from being physically built into the box of this central processing unit.

From another standpoint, it is clear that the invention could also be expressed in the form of processes, and that it applies not only to smart cards, but also to any type of portable object suitable for accommodating similar capabilities, such as for example "smart keys".

What is claimed is:
1. A computerized device, comprising: a central processing unit having a memory into which is loaded an operating system, said central processing unit having at least one connection interface which can be accessed through a function of the operating system; a dedicated unit including a reader of a removable memory medium, such as a card, connected to the central processing unit by the connection interface; software, operable on said central processing unit, having specific calls to the dedicated unit for conditioning the conduct of the execution of said software on the state of data in the removable memory medium, the specific calls being configured in the form of communication commands, possessing send arguments, and whose completion state is suspended while awaiting a response of particular form; the removable unit having a communication security module capable of disabling the response to a communication command originating from the central processing unit, depending on first conditions involving the expression of the communication command and information contained in the card, and at least one responsive module capable of recognizing the communication command and of according a favorable response, in the particular form, only if second conditions regarding the arguments of the communication command and the information contained in the card are complied with.
2. A device according to claim 1, wherein at least some of the communication commands are interpreted by the dedicated unit as combining several functions.
3. A device according to claim 1, wherein the dedicated unit consists of several groups of responsive modules, assigned to arguments of the communication commands which are at least in part different.
4. A device according to claim 1, wherein the dedicated unit includes a smart-card reader and the removable part is a smart card.
5. A device according to claim 1, wherein one of the responsive modules is a usage metering module.
6. A device according to claim 5, wherein one of the responsive modules is a time metering module.
7. A device according to claim 6, wherein the response of a particular form includes a first state, authorizing normal operation of the software, and a second state, authorizing operation in a downgraded mode.
8. A device according to claim 7, wherein the dedicated unit further comprises a sequence control module configured as a one-state-among-N looped sequential handler, N being equal to at least two, each state being associated with a transition which conditions transfer to this state, while the second state, whose input transition is defined, directly or implicitly, by at least one of the communication commands, conditions certain operations in the card.
9. A device according to claim 8, wherein the handler comprises at least three states associated with three transitions, including "withdrawal/insertion", "engagement" and "disengagement", which are respectively valid when the removable part is inserted after having been extracted, when an engage request is present, and when a disengage request is present.
10. A device according to claim 9, wherein the engage request and disengage request are made internally in said dedicated unit, engagement being effected when said dedicated unit receives a communication command, and disengagement being effected when no communication command has been received for a specified duration.
11. A device according to claim 10, wherein the sequence control module includes a counter of the number of transfers and is capable of disabling the communications with other responsive modules when a defined count is reached.
12. A device according to claim 11, wherein the dedicated unit includes a software protection module including processing means for formulating a response to an associated communication command, the response being defined on the basis of data at least partly contained in the removable medium.
13. A device according to claim 12, wherein the software protection module is active at the same time as the second state of the sequence control module.
14. A device according to claim 13, wherein the time metering module contains a time credit which can be read by said central processing unit, the time metering module being capable of decrementing the time credit depending on communication commands, as well as of disabling certain communication commands when the time credit is zero.
15. A device according to claim 14, wherein the time metering module is active at the same time as the second state of the sequence control module.